Hoxhunt training mirrors the tactics of real-life attacks

Introduction

We at Hoxhunt want the security training to mirror the real world and the real attacks that we see every day. Real attackers do not have the same moral compass as the defending side, and we want to simulate that to the best of our abilities. This is why we include some of the more sensitive topics in our training. We will never send a simulation that is meant to inflict fear or embarrassment, but we do want to simulate similar emotions, so that you learn to identify these during the training.

Educating employees with a wide range of topics used by attackers in the wild helps users look out for the emotional reactions that some of the most sophisticated threats provoke. Watching out for these emotional responses is one of the key aspects of security awareness. Making all Hoxhunt supported threat categories and content available for employees to learn from allows us to improve those responses. If some key threat topics are disabled, you might give the attacker an advantage: if you do not include a topic in the training and a real attack is executed with that exact topic, your users might not stop and think about the message before reacting to it. Many of the threats that use more taboo topics might even leave the user too embarrassed to report that they have fallen for one. Keeping your training curriculum as wide as you can will help you in the long run.

We feel that it is extremely important for users to be left feeling positive after a learning experience, so that they really embrace the learning. Using these topics in our training is a carefully considered decision.


Why do Hoxhunt simulations expire in 4 days?

Simulations expire. A simulation is considered missed if you do not report it within 4 days of receiving it. Why 4 days? Real phishing also gets old: the longer it takes to detect and analyse it, the more risk it can pose to the security of your company. With this period we want to train you to be quick to detect and report a fraudulent email.

After 4 days you can still report the email, but it will be counted as missed. However, you will still be able to do the microtraining and earn extra stars.

What kinds of brutal tactics do real attackers use?

Producing negative emotions, such as fear and embarrassment, is highly effective for the attackers. Attacks, such as sextortion scams and emails abusing authority, are common nowadays. Other common topics are money, employment, complaints, etc.

Employment termination

During the COVID-19 pandemic and beyond, many people are enduring the worst years of their lives between lay-offs, corporate restructuring, and the loss of loved ones; meanwhile, others have stayed healthy and prospered financially. You could say that the previous year has covered the whole emotional spectrum, and attackers have responded with verifiably potent phishing campaigns hooked into emotions.

After struggling through so much uncertainty, how horrible would it be to receive a contract termination notice from HR? The below example is from a campaign utilizing an extremely emotionally provoking topic to increase the chance that the recipient will stop thinking rationally and just act based on instinct.

[Image: image-20211111-102505.png]

Read more: Emotional trigger phish: Off the Hook - Hoxhunt


Sextortion

People do all kinds of things in the privacy of their own homes. Some activities, like cooking, they are willing to share; and others... less so. Viewing adult websites falls firmly into the “not keen on sharing” category. And Oh la la, imagine the fear and humiliation of being threatened in an email message with: “I know what you looked at last night. And I recorded you doing it.”

Below is a sample email from a sextortion campaign.

[Image: image-20211111-101954.png]

Because this is such a touchy subject, many can even feel too ashamed to speak up and seek help. Desperate and alone, they will just pay the attacker instead of asking for assistance from their IT department or the authorities, and risking public humiliation. This is exactly what the attacker wants. While this is an obvious scam for some, others might not be willing to discuss a sextortion email with anyone. Therefore, educating users beforehand to detect these is extremely important.

Read more: Porn scams, Ooh la la - Hoxhunt


Authority impersonation

Authority impersonation phishing attacks are nothing new. The topic never gets old and the technique clearly works. They can be carried out in numerous languages exploiting numerous official services around the world, from North Carolina to Belgium. The idea is to mimic a governmental authority or something similar in order to set the phishing hook.

Below is an example campaign that has been very active during 2021, showing how extreme the topics these malicious actors use to get a response can be.

[Image: image-20211111-101124.png]

The text states that the email recipient has been accused of crimes involving child pornography, pedophilia, exhibitionism, cyber pornography and sex trafficking. The attacker is again using the name of a real, high-ranking Europol officer to make the scam more convincing in case the victim Googles the name.

Attempts have also been made to create a sense of authenticity by adding Ministry of Justice and Europol logos. There is also a handwritten signature and several fake stamps at the end of the email. Even so, the attacker is a bit sloppy: they use a different name in the introduction and in the final signature. Small mistakes like this are a good way to spot a phishing email.

The email proceeds to threaten legal action if the accused does not respond within 72 hours. We have seen emails in this campaign threaten to:

  • Publish the name and photo of the accused person

  • Send a further report to the prosecutor

  • Register the accused person as a sex offender

  • Transmit the case to national news channels

  • Broadcast the case to the accused person’s family and loved ones

Seeing these accusations and threats, even knowing you are innocent, might cause panic in some people. Thinking there has been some kind of tragic misunderstanding, they will want to clear their name. Unfortunately, that is exactly what the attacker wants: a reply.

Replying to the email leads to a scam in which the attacker tries to steal the victim’s financial information and other personal data.
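The traits described above (a name in the introduction that does not match the signature, a 72-hour deadline, the list of threats, and official branding) can be turned into a simple triage heuristic for emails that users report. The following is an added example written for this article, not Hoxhunt code; the email text is a constructed sample with placeholder names, and the phrase lists and score weights are assumptions chosen for illustration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample email (placeholder names, not a real message) that
# carries the traits described above: an introduction name that does not
# match the signature, a 72-hour deadline, authority branding and threats.
SAMPLE_EMAIL = """\
Subject: Judicial summons - case reference [PLACEHOLDER]

Dear Sir/Madam,

I am Inspector Jane Placeholder of the Europol Cybercrime Unit.
You are accused of offences involving cyber pornography and sex trafficking.
You have 72 hours to respond to this notice. Failure to respond will lead to
legal action: we will publish your name and photo, register you as a sex
offender and transmit the case to national news channels.

Yours faithfully,
Commissioner John Otherplaceholder
Ministry of Justice / Europol
"""

# Ranks/honorifics to ignore when comparing the intro name with the signature.
TITLES = {"inspector", "commissioner", "officer", "agent", "mr", "mrs", "ms", "dr"}
INTRO_RE = re.compile(r"\b(?:I am|My name is|This is)\s+((?:[A-Z][\w.]*\s+){0,3}[A-Z]\w*)")
CLOSING_RE = re.compile(
    r"^(?:Yours faithfully|Yours sincerely|Sincerely|(?:Best |Kind )?regards),?\s*$",
    re.I | re.M,
)
DEADLINE_RE = re.compile(r"\b(\d{1,3})\s*(hours?|days?)\b", re.I)
# Threat wording taken from the list of threats seen in the campaign above (assumed phrasing).
THREAT_PHRASES = (
    "publish your name",
    "report to prosecutor",
    "register you as a sex offender",
    "national news channels",
    "family and loved ones",
    "legal action",
)
AUTHORITY_NAMES = ("europol", "ministry of justice")


def _strip_titles(name: str) -> str:
    """Drop ranks so 'Inspector Jane X' and 'Jane X' compare equal."""
    return " ".join(w for w in name.split() if w.rstrip(".").lower() not in TITLES)


def intro_name(body: str) -> str | None:
    """Name the sender gives in the introduction ('I am ...'), if any."""
    m = INTRO_RE.search(body)
    return _strip_titles(m.group(1)) if m else None


def signature_name(body: str) -> str | None:
    """First non-empty line after a closing phrase such as 'Yours faithfully,'."""
    m = CLOSING_RE.search(body)
    if not m:
        return None
    for line in body[m.end():].splitlines():
        if line.strip():
            return _strip_titles(line.strip())
    return None


def deadline_hours(body: str) -> int | None:
    """First 'N hours' / 'N days' deadline in the body, normalised to hours."""
    m = DEADLINE_RE.search(body)
    if not m:
        return None
    n, unit = int(m.group(1)), m.group(2).lower()
    return n * 24 if unit.startswith("day") else n


@dataclass
class Triage:
    score: int = 0
    reasons: list[str] = field(default_factory=list)


def triage_authority_phish(body: str) -> Triage:
    """Score a reported email for the authority-impersonation traits above."""
    t = Triage()
    low = " ".join(body.split()).lower()  # collapse line breaks so phrases match
    intro, sig = intro_name(body), signature_name(body)
    if intro and sig and intro.lower() != sig.lower():
        t.score += 3
        t.reasons.append(f"name mismatch: intro '{intro}' vs signature '{sig}'")
    hours = deadline_hours(body)
    if hours is not None and hours <= 72:
        t.score += 2
        t.reasons.append(f"short deadline: {hours} hours")
    threats = [p for p in THREAT_PHRASES if p in low]
    if threats:
        t.score += len(threats)
        t.reasons.append("threats: " + ", ".join(threats))
    if any(a in low for a in AUTHORITY_NAMES):
        t.score += 1
        t.reasons.append("claims an official authority")
    return t


if __name__ == "__main__":
    result = triage_authority_phish(SAMPLE_EMAIL)
    print("score:", result.score)
    for reason in result.reasons:
        print(" -", reason)
```

The heuristic is deliberately simple: each signal is explainable to the user who reported the message, which matters more for awareness follow-up than raw accuracy. A legitimate internal notice that introduces and signs with the same name and sets no deadline scores zero.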

Read more:

Top 4 Official Authority Impersonation Phishing Attacks of 2021 - Hoxhunt

Hit and run phishing attack - Hoxhunt

Want to learn more about the tactics criminals use?

Check out our Off the Hook - Threat Stories library on our blog: https://www.hoxhunt.com/blog, where we gather stories from the front lines on the latest attacks we are seeing in the wild.
